We will start using Microsoft Intune for all our devices soon, and while configuring Intune, the question came up of which certificate to choose, for authentication etc.
I have followed this link and others similar: https://learn.microsoft.com/en-us/intune/certificates-configure
However these links only explain how to install CA's, configure settings etc. I can not find a clear differentiation between the 2 certificates (SCEP and PFX) and why one would choose one over the other.
Are there any general guidelines to follow?
Edit: Our devices are mostly company laptops, with Windows 10.
It's hard to say how to choose one kind rather than the other one. It really depends on what devices you're using and what platforms runs for those devices:
You can create and assign a PKCS or SCEP certificate profile for
devices running the following platforms:
iOS 8.0 and later
Android 4.0 and later
Android for Work Windows 10
(desktop and mobile) and later
You can only use a SCEP certificate
profile for devices running the following platforms:
macOS 10.9 and later
Windows Phone 8.1 and later
So, it's clear that If your devices are using macOS 10.9 and later
,Windows Phone 8.1 and later platforms, you must choose to use SCEP certificates.
Also, it sometimes depends on what CA that your Network devices support. E.g, if your VPN devices only supports SCEP CA,you just need to use SCEP CA.
You can also refer to this Tech Note of Cisco to find more details about SCEP and PKCS.
For same devices:
If you are building a prototype or a small not critical service then go with PKCS12.
If you use SCEP profiles, you need to configure a Network Device Enrollment Service (NDES) server. So,If you are building a serious product (production and touching devices of people with sensitive info) then go with SCEP (you can get a free SCEP servers. It's not that complex).
Hope this helps!
Related
Is it possible to obtaining a licensed developer certificate for signing security-reviewed, community-developed open source SGX software binary in production mode, and publish it on open source repository like apt or rpm?
I just asked Intel SGX team, they said only verified vendors are able to obtain a certificate and run in production mode. It just like Apple’s App Store, no open source code allowed, right?
Well, it's possible, but it's a quite complicated task,
You will need to register yourself or your organization as an ISV with Intel, which is not an easy task, i.e. one of the requisites for the Remote Attestation is Mutual TLS, therefore and in order to get it working you need a Certificate which must be publicly available on an URL you control, so trust can be established between Intel and your server.
I know that a MDM Client is an integral part of Windows 10 and hence it is available on any device running windows 10.The following link explains MDM on Windows 10 in great detail and depth:
https://technet.microsoft.com/en-us/itpro/windows/manage/windows-10-mobile-and-mdm
However, I am curious to know(and code) that is it possible to write a custom MDM Client for Windows 10 Mobile/Desktop/Device and how.
Thanks!!
That is not possible, simply because there are no MDM APIs exposed by the OS.
You could write an app that talks to your server and executes commands in sequence, which would mimic the base flow of an MDM protocol. However, the app will be very limited in terms of what it can actually achieve. E.g. you won't be able to install apps, configure accounts, etc.
You could install certificates, although i am not sure those will be system-wide available, and get the basic device info (network hw addresses, battery level etc).
I tried to install a hardware I've installed in my previous computer under Windows 7, basically an external network card with antenna, but when I try to use it, after installed it I get this bluescreen error:
BUGCODE_NDIS_DRIVER
I don't know if it's possible to fix it, any useful information?
PS: If this isn't the best Stack forum, please guide me to the right one.
There is some technical information on Windows Dev Center - Hardware on this bugcheck. Driver developers can find the cause from the bugcheck code and parameters.
I can duplicate the BUGCODE_NDIS_DRIVER blue screen on my Windows 8.1 developer box fairly easily by opening two different VPN tunnels. Luckily, I don't need both running at the same time, so my solution is "don't do that".
For example, I open SonicWALL Global VPN Client to connect to one network. Then, I open the Cisco VPN client to connect to another. The crash happens almost immediately.
If you have two active network card, deactivate one, that is all.
I have Hyper V enabled Windows 8.1 system but when I try to debug my windows app in Emulator it shows error message as follows:
http://social.msdn.microsoft.com/Forums/wpapps/en-US/b06cc9f2-aa5e-4cb3-9df1-0c273e1dfd68/wp8-emulator-xde-troubleshooting-tips?forum=wptools
this need to be followed for this case specially:
Workaround: disable all third party drivers and applications which may be interfering with the virtual network used by the Emulator to communicate with Visual Studio. This may include:
Antivirus applications (which hook into the network stack)
Network monitoring tools
Network logging tools
Other system monitoring software
Another possible approach, short of uninstalling the product(s) in question (and requesting the product developer to release an updated version), here is a possible workaround:
Launch the “Network Connections” manager (from the home screen, type in “View Network Connections”, It will be listed under Settings)
Right click on the adapter named: “vEthernet (Internal Ethernet Port Windows Phone Emulator Internal Switch)”
For that adapter, the only items that should be checked under “This connection uses the following items:” should be:
Client for Microsoft Networks
QoS Packet Scheduler
File and Printer Sharing for Microsoft Networks
Microsoft LLDP Protocol Driver
Link-Layer Topology Discovery Mapper I/O Driver
Link-Layer Topology Discovery Responder
Internet Protocol Version 6 (TCP/IPv6)
Internet Protocol Version 4 (TCP/IPv4)
All other items should be unchecked.
I was looking into OWASP Top 10 Mobile Risks for security issues to be kept in mind while developing mobile applications. They have given very good information pertaining to Android and iOS platforms. Some notable ones include Client Side Injections, iOS Abusing URL Schemes, Android-Abusing Intents, Keystroke logging, Screenshots/iOS Backgrounding, Logs etc.
These were very useful and now I want to know if there are any new vulnerabilities that exist in Windows Phone 7 , which were not present in Apple iOS and Google Android.
My requirement is, I need to build somewhat like a Damn Vulnerable WP7 App to educate the WP7 developers in my project to build secure applications for our clients.
OWASP has already built iGoat (iOS application) and DroidGoat (Android application) for the sake of iOS and Android developers. I dont see any such application for Windows Phone 7.
Currently WP7 appears to be a very secure OS. Whilst I am sure it has vulnerabilities, these have not been exploited yet. Interestingly AVG released an anti-virus / malware app for WP7. This was pulled from the marketplace because it didn't actually do anything since there are no viruses for the phone yet!
http://www.winrumors.com/microsoft-pulls-avg-antivirus-windows-phone-app-from-the-marketplace/
There has been a recent SMS flaw discovered:
http://nakedsecurity.sophos.com/2011/12/14/windows-phone-7-5-susceptible-to-sms-hack/
Having said that, there is still a need to educate developers about security. You can of course build an application which has its own security vulnerabilities by failing to protect the users data for example.
if there are any new vulnerabilities that exist in Windows Phone 7
Actually, I dare say there ain't any old ones either. Most of the security issues on Android is caused by the ability to change the system 110%. Windows Phone don't have intents, don't allow process inspection, or access to the raw file-system.
As Colin said, the security issues there can occur is related to data handling. For instance, the isolated storage can be inspected by jailbreaking the device, and as such you can read out unencrypted passwords (or other personal data) from the isolated storage.
However, to jailbreak a device, you need physical access to it. And you can't remote install a application for inspecting the isolated storage, even if the device was jailbreak'd. It can only be done by USB.